UNM Financial Services announced the following on August 28th, 2014:
New procedures are going into effect in September involving purchases where a vendor will have access to UNM private data. Private data includes items such as Social Security Numbers, Protected Health Information (HIPAA), student grades, names & dates of birth of students/employees, credit card information, payroll or other financial information, or other data deemed sensitive or private.
Beginning 9/30/14, a new required field in all LoboMart requisitions will require the requester to alert the Purchasing department whenever a vendor will have access to UNM private data. Whenever this field is selected, Purchasing will instruct the user department to complete a Preliminary Security Review Form and submit it to the appropriate data steward (usually UNM IT or HSC Information Security). Purchasing will not be able to issue the PO until receiving an approval from the appropriate data steward.
In response to this requirement, HSC is announcing a new process to standardize our IT security review of software purchases in a manner that makes it faster and easier to understand. Purchases of software that Purchasing deems to involve sensitive or private UNM data are flagged to require an IT security review prior to Purchasing approval.
To initiate the review, fill out one of our standard checklists and submit a request for a security review to the HSC-ISO@salud.unm.edu mailbox. To choose the appropriate checklist, first determine whether the product is locally installed software or a web application with cloud storage components. An easy way to tell is to ask whether you actually download and install the software on your local machine, or whether you log in to a website to access it.
Depending on your application type, you will need to complete one of the two checklists below.
For assistance drafting the local departmental security procedure, please reference the guidance document and a sample security procedure submitted by another department. The guidance document explains what we’re looking for, and the example document shows what your procedure will look like. Please do not copy it verbatim; simply use the example procedure as a reference for drafting your own department’s documentation. Note that your procedure does not need to be a long, tediously drafted document; we are simply looking for an authoritative document that states the approved and unapproved uses of the application (this can be a quickly drafted one-page document).
When submitting your request please be sure to tell us if you have an urgent timeline associated with this security review as we can provide provisional approval (to get through purchasing) with the condition that you will draft the local departmental security procedure and provide it to us within two weeks. If you request the provisional approval, please note that we will still need to have the completed “Cloud Checklist” prior to providing this provisional approval.
If you don’t know the answers to any questions on the forms please ask us for clarification or just leave them blank and we will do some research to find the appropriate response.